Aid agencies have put some projects on hold while reviewing the security of a popular online system for handling aid distributions, IRIN has learnt. Sensitive personal and financial data on tens of thousands of people in humanitarian aid projects is at risk from hackers, according to a damning security analysis by a financial technology startup.
In a report, Mautinoa Technologies said it identified several security problems in a software platform used by aid agencies to store the data of vulnerable people, exposing them to "very significant risks". The company behind the platform, Red Rose, denies the claims.
Mautinoa, a new provider of payment systems and technologies, was able to enter a cloud-based server of the NGO, Catholic Relief Services, and access names, photographs, family details, PIN numbers and map coordinates for more than 8,000 families receiving assistance from the NGO in West Africa.
In response, Oxfam, one of several customers of the platform, told IRIN it has temporarily suspended uploading new data to its Red Rose systems as a precautionary measure. A spokesperson told IRIN the NGO, depending on its assessment, may review plans to implement the system in Bangladesh, where it is currently training staff. In recent days, a Red Rose server used for a CARE project in West Africa until May was taken offline. IOM told IRIN it is making plans to reduce its use of external vendor support.
The incident is a real-world reminder of the possibility of personal details of aid beneficiaries falling into the wrong hands and the potential for fraud, as aid agencies increasingly turn to voucher systems and digital cash transfers as more efficient forms of assistance.
The risks are significant: gaps in legal and ethical frameworks for humanitarian operations and a lack of professional skills in digital data amount to a disaster waiting to happen, according to a recent paper from the Harvard Humanitarian Initiative.
Humanitarian security analyst Rakesh Bharania, now of Tarian Innovation LLC, and former co-chair of the security and privacy working group of humanitarian-corporate alliance NetHope, told IRIN the risks to vulnerable people are extremely serious and there's an under-appreciated obligation on aid groups and donors to tackle the issue.
To manage its cash and voucher transfers, CRS, like at least 10 other aid groups, uses the web-based system run by Red Rose, a young company based in Turkey and the UK that has rapidly emerged in recent years as a leading vendor of online data management platforms and apps for humanitarian responders.
By following instructions and clues in a public training video, Mautinoa got access to CRS's administrative dashboard, giving it full control to view and edit financial and personal details, and to download data. The system, although not connected to the banking system, contains financial records totalling about $4 million, provided by donors including USAID and the European Commission.
CRS, an NGO which manages $900 million of annual income and works in over 100 countries, confirmed the incident to IRIN, blaming an error in password management, but Mautinoa said it had found deeper flaws in the software. Red Rose vigorously denies those claims.
The revelations could cause a shockwave in the aid sector, according to one analyst. Another said the implications of a bigger security breach could be terrifying for the safety of vulnerable refugees and other people in crisis situations.
In a statement provided to IRIN, Red Rose said "this is an isolated incident which we believe does not pose a risk of harm to our clients or beneficiaries." The company argued that the unauthorized access "is not a system-related issue, but a username and password management issue." It would, however, commission an independent full penetration test of its system to review and test its security infrastructure.
Red Rose said Mautinoa's actions were motivated by corporate gain. Mautinoa's access to the system was reckless, the statement said, and likely the result of unlawful activity.
Emerson Tan, the CEO of Mautinoa Technologies, freely acknowledges his company is working on a rival product. Tan has 20 years of experience in cyber-security in government and the private sector and has also worked in humanitarian response for more than a decade. He told IRIN his team were checking on the competition and decided to kick the tyres of the Red Rose system. (Analysts point out that technology companies routinely search for bugs in others' products, one example being Google's Project Zero.) Tan said he had rapidly become alarmed at his findings and decided to alert aid agencies using the platform.
Tan claims many of the problems found are fundamental security flaws and could ultimately expose vulnerable people's identities and locations. His report suggests weaknesses in encryption in the system and that smart cards issued to families on the basis of their aid entitlements could theoretically be faked or manipulated. Red Rose said its smart cards could not be cloned and its security systems are robust and in line with industry standards.
Dominic Chell of UK security consultancy MDSec pointed out the report relied largely on the access possible from a single weak password on only one deployment of the system. He said the report did appear to reveal "very poor cyber-hygiene practices going on," but they did not seem very unusual nor absolutely critical: "we see this stuff all the time".
CRS told IRIN that it would be tightening up its security practice and had already established more stringent requirements for IT vendors. Paul Eagle, vice president of marketing and communications for CRS, told IRIN the organisation was awaiting the outcome of Red Rose's tests: "We will wait to pass judgement until we review those results."
Other NGOs using the software defended it.
"ZOA is confident in the security of the Red Rose platform," said one, while the Norwegian Refugee Council said: "We believe that our current implementation of the Red Rose platform is safe."
Mautinoa's easy access to the CRS system was in large part due to human error, as well as system design, but that doesn't make it any less serious, according to security specialists. Bharania, of Tarian Innovation, told IRIN security vulnerabilities don't have to be fancy or exotic to be problematic.
Several humanitarian professionals contacted by IRIN agreed that this episode, regardless of the details of the software engineering, vividly highlights risks and responsibilities in data management that demand greater attention.
"We don't understand the full implications of the data we hold and share, the same way we didn't when we were doing in-kind distributions via Excel," an NGO manager said. "I think we are too trusting of companies that say they have data protection under control."
The risks of data
Increasing volumes of personal data are collected from refugees and other aid recipients and stored digitally in the aid industry. These may include names, photos, fingerprints, physical addresses, ID numbers or iris scans, and are stored in a variety of databases and systems managed by aid agencies, banks and private companies. The UN World Food Programme's SCOPE system alone has details on 20 million people. These systems allow aid agencies to combat fraud, control expenditure, and offer convenient benefits, such as cash and vouchers. On the flip side, that data, in the wrong hands, could facilitate surveillance, discrimination or persecution.
Senior humanitarian specialist Zehra Rizvi told IRIN she didn't expect much impact due to structural issues in the sector: "There will be some head-shaking and calls for investigations and better rules and regulations..." However, part of the problem, she argued, is too many aid agencies "ramping up on using technology... and trying to one-up each other" in a rush to be seen as innovative.
"It's truly inefficient," she added, suggesting a collaborative research and development effort would be ideal.
Another analyst told IRIN that aid agencies should simply get out of the business of trying to deploy such advanced enterprise-quality software and outsource it to experts in financial services.
Red Rose customers react
Red Rose systems are used by at least nine aid agencies, according to IRIN's search of public sources. Current customers may include: Action contre la Faim, DanChurchAid, International Committee of the Red Cross (ICRC), International Organization for Migration (IOM), Norwegian Refugee Council, Oxfam, Première Urgence Internationale, UNICEF and ZOA.
An ICRC spokesperson said the organisation was testing out the system in three countries, including Ukraine, with an initial caseload of 9,000 people. Juliette Ebele said no data had been compromised, but that the ICRC took data protection very seriously. She said the organisation, like others, was looking into the platform and Mautinoa's report, and would suspend the pilot project should alleged flaws be confirmed.
Most of the agencies that responded to IRIN's questions said they would be checking their procedures and were tightening up processes. IOM, which uses the platform for 25,000 Syrians in Turkey, said its data was safe and carefully handled. However, in a statement, IOM said it is making plans to "reduce its dependence" on external IT vendors, including Red Rose. Some referred to Red Rose's denials and others took aim at the source of the allegations being a competitor. Four had not replied by publication time.
Red Rose, one of few such providers in the non-profit sector, has been used in conflict zones in Syria and Ukraine. Bharania said in locations like these, humanitarian responders find themselves in a theatre of conflict with "some of the most sophisticated threat actors on the planet", often government-sponsored.
He says there is no reason to expect cyber warfare to "spare the organizations that are involved in the humanitarian response (or the people they're trying to help)." During the response to the 2015 Nepal earthquake he reported evidence of a state-sponsored attempt to hack into relief workers' communications.
Bharania believes there is a long way to go to bring up standards in humanitarian data management, and donors need to invest. As well as financing data security, he said finding qualified staff will be challenging, and a system of responsible disclosure alerts and warnings is needed. The new EU General Data Protection Regulation (GDPR) sets stringent rules on personal data and privacy and will be a further wake-up call, he added.